Headline
GHSA-hfj7-542q-8fvv: DiracX-Web is vulnerable to attack through an Open Redirect on its login page
Summary
An attacker can forge a request to redirect an authenticated user to any arbitrary website.
Details
On the login page, we have a redirect field which is the location where the server will redirect the user. This URI is not verified, and can be an arbitrary URI.
Paired with a parameter pollution, we can hide our malicious URI (ex: https://dns.com/?param1=im_hidden_if_theres_lot_of_args?param1=bbb).
PoC
https://diracx-cert.app.cern.ch/auth?redirect=https://ipcim.com/en/where/?dsdsd=qsqsfsjfnsfniizaeiaapzqlalkqkaizqqijsjaopmqmxna?redirect=https://diracx-cert-app.cern.ch/auth
This POC can leak user’s position.
Impact
This could be used for phishing and extracting new data (such as redirecting to a new “log in” page, and asking users to reenter credentials).
Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.